fs/open.c in the Linux kernel before 2.6.22 does not properly strip setuid
and setgid bits when there is a write to a file, which allows local users
to gain the privileges of a different group, and obtain sensitive
information or possibly have unspecified other impact, by creating an
executable file in a setgid directory through the (1) truncate or (2)
ftruncate function in conjunction with memory-mapped I/O.
David Watson discovered that the kernel did not correctly strip
permissions when creating files in setgid directories. A local user
could exploit this to gain additional group privileges. This issue
only affected Ubuntu 6.06.
Updated: 2015-07-29 20:33:37 UTC (commit 9756)